Denial-of-service (DoS) attacks emerged in the early days of the web and the commercialization of the internet. These attacks literally deny service by making a resource scarce; in many cases, attackers simply flood a network or server with pings until it is too busy to respond.
On the defensive side, enterprises and service providers responded by blocklisting the devices where the attacks originated. As the cat-and-mouse game became more sophisticated, attackers started to use thousands of bots to create what are now called distributed DoS (DDoS) attacks.
For example, one attack used several hundred thousand bots in a rotation spread across a bot army of more than 3 million devices to attack a nation-state and shut down a government service. That attack generated over 500 Gbps of traffic.
How to prevent DDoS attacks on networks
How can an enterprise respond? The following three approaches detail how to prevent or respond to DDoS attacks on networks:
- Buy a service from an internet service provider (ISP). Many ISPs offer DDoS mitigation services, but when an enterprise network gets hit, the enterprise needs to report the incident to the ISP to begin mitigation. This strategy is called clean pipe and is popular with ISPs, as they charge for the service, but it often results in a 30- to 60-minute delay before mitigation starts.
- Keep it in-house and DIY. Organizations can prevent and respond to DDoS attacks in-house with an intrusion prevention system, firewall technology and specialized hardware purpose-built to defend against DDoS attacks. Unfortunately, the affected traffic is already on the network eating up valuable bandwidth. That makes this approach best suited to enterprises with equipment in colocation facilities, where traffic reaches ISPs through a cross-connect, which protects downstream bandwidth that goes to the rest of the company.
- Use a content delivery network (CDN). This approach minimizes exposure of corporate infrastructure, as IT teams can place the infrastructure behind a CDN. These networks are large and diverse, and if the organization subscribes to DNS and DDoS mitigation, they can protect e-commerce sites, as well as the enterprise itself.
How to choose a DDoS mitigation option
Which approach is best to respond to or prevent DDoS attacks on networks? As usual in this complex world, it depends. However, few companies beyond large e-commerce providers have the capability to properly implement a DIY approach. Small e-commerce providers should use a CDN, and most midsize firms would do well with some combination of options one and three (an ISP service and a CDN).
A combination could involve e-commerce on a CDN, with DDoS mitigation needed for enterprise internet access and VPN services. Some providers can do both and simplify contract management.